Apple’s iOS contains intentionally created access that could be used by governments to spy

Last weekend, a hacker who’s been campaigning to make a point about Apple security by playing fast and loose with the now widely-accepted definition of “backdoor” struck gold when journalists didn’t do their homework and erroneously reported a diagnostic mechanism as a nefarious, malfeasant, secret opening to their private data.

Speaking at the Hackers On Planet Earth conference in New York, Jonathan Zdziarski said that Apple’s iOS contains intentionally created access that could be used by governments to spy on iPhone and iPad users and to access a user’s address book, photos, voicemail and any accounts configured on the device.

As he has been doing since the Snowden documents started making headlines last year, Mr. Zdziarski re-cast Apple’s developer diagnostics kit in a new narrative, turning a tool that could probably gain from better user security implementation into a sinister “backdoor.”

The “Apple installed backdoors on millions of devices” story is still making headlines, despite the fact that respected security researchers started debunking researcher Jonathan Zdziarski’s claims the minute people started tweeting about his HopeX talk on Sunday.

Since Mr. Zdziarski presented “Identifying back doors, attack points, and surveillance mechanisms in iOS devices”, his miscasting of Apple’s developer diagnostics as a “backdoor” was defeated on Twitter and debunked; SourceClear called Zdziarski an attention seeker in Computerworld, and Apple issued a statement saying that no, this is false.

In fact, this allegedly “secret backdoor” was added to diagnostic information that has been as freely available as a page out of a phone book since 2002.

The packet capture software used for diagnostics, which Mr. Zdziarski referenced in support of his claims, is similar in functionality to the one that’s installed on every Apple laptop and desktop computer for diagnostics.

So his numbers of “backdoors” allegedly installed by Apple for wide-ranging nefarious purposes are off by like, a billion.

It appears that no one reporting Zdziarski’s claims as fact attended his talk or watched it online, and fewer than a handful fact-checked or consulted outside experts.

Which is, incidentally, what I did. I saw the talk begin to gain momentum on Twitter, then quickly flushed the idea of a story when the researchers I consulted kindly told me there was no “there” there.

Mind you, I’m quick to call Apple on its issues.

Among many other articles about Apple security vulns and hacks, I was first to report seeing an iPhone getting hacked in 60 seconds with a malicious charger, and when Apple said that intercepting (and spoofing) iMessage was only “theoretical” I provided video proof of the exploit.

Regardless of the problems with Mr. Zdziarski’s sermon, the (incorrect) assertion that Apple installed backdoors for law enforcement access was breathlessly reported this week by The Guardian, Forbes, Times of India, The Register, Ars Technica, MacRumors, Cult of Mac, Apple Insider, InformationWeek, Read Write Web, Daily Mail and many more (including ZDNet).

People were told to essentially freak out over iPhones allowing people who know the passcode and pairing information to use the device.

If you’re the kind of person that walks into a public library, plugs in your iPhone and gives the public computer and every rando who accesses it permission to access everything on your phone forever, then okay, maybe you should freak out.

The entire incident has cemented mistrust about journalists in infosec communities, whose reaction to the media mess hasn’t been kind.

“I meant a different kind of backdoor”

The researcher erroneously stated that Apple “confirmed” his allegations when in fact the company had done the opposite.

In light of much debunking in security communities and Apple’s statement, Zdziarski published a blog post backpedaling on the interpretation of “backdoor” — yet still affirmed his narrative.

According to OWASP, a “backdoor” is defined as:

A hidden entrance to a computer system that can be used to bypass security policies (MS definition).

An undocumented way to get access to a computer system or the data it contains.

A way of getting into a guarded system without using the required password.

When Apple explained the diagnostics tool set and published a detailed support document, Zdziarski said that Apple’s acknowledgement of its not-secret developer tools only proved him right, and that this meant Apple was admitting to his claims of making iOS vulnerable to authorities’ snooping by design.

Zdziarski says he “doesn’t believe for a minute that these services are intended solely for diagnostics.”

And with one word — “believe” — we have the nut of what’s becoming a big problem in the state of security and journalism for everyone.

Whose definition of backdoor to believe, among other things, is left for us to decide.